Splunk Search

Search Heads in cluster are not able to replicate properly

MousumiChowdhur
Contributor

Hi!

There are 2 search heads in our production cluster. We have implemented Alert Manager app in our SH and it incorporates alert manager specific lookups,Data Models and event types. Some of the functionalities of this app and dashboards are not getting replicated properly in all our search heads. In addition to this we are also facing few scenario's where the dashboards data are not getting replicated properly.

We have increased the distsearch's default size to 3 Gb but still some times we have to face the above issue.

0 Karma
1 Solution

gcusello
SplunkTrust
SplunkTrust

Hi MousumiChowdhury,
remember that not all the objects are replicated between Search Heads, only the "Knowledge" part (Left Up) of the Settings Panel.
Which functionlities aren't replicated?
Bye.
Giuseppe

View solution in original post

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi MousumiChowdhury,
remember that not all the objects are replicated between Search Heads, only the "Knowledge" part (Left Up) of the Settings Panel.
Which functionlities aren't replicated?
Bye.
Giuseppe

0 Karma

MousumiChowdhur
Contributor

Hi,

I'm not able to see few of the dashboard panels data. When a user logs in through DNS and searches for a dashboard, his request hits either of the search heads. If it hits where dashboard or panel data is not replicated, he is not able to see anything in this case. Whereas, If the request hits the SH where data is present, user is able to see data in the dashboard.

0 Karma

MousumiChowdhur
Contributor

Hi Cusello,

I have found that, my lookups are not getting replicated between search heads. On one of my search heads the number of lookups are more than that of the other search head.

0 Karma

gcusello
SplunkTrust
SplunkTrust

Yes this is the result of unallignment of Search Heads.
You should understand which are the Knowledge Objects of Alert Manager App not replicated between SearchHeads.
Bye.
Giuseppe

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...